Hype Cycle for Legal and Regulatory Information Governance, 2011




Research
Publication Date: 26 July 2011
ID Number: G00214656

French Caldwell

Information governance is emerging as a critical discipline. Legal departments and IT organizations must work closely together to improve it. Many different information technologies can complement strategies to improve information governance.

© 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp

TABLE OF CONTENTS

- Analysis
  - What You Need to Know
  - The Hype Cycle
  - The Priority Matrix
  - Off the Hype Cycle
  - On the Rise
    - Legal GRC
    - Continuous Controls Monitoring
    - Enterprise Fraud Management
    - Social Media Compliance
    - Enterprise Internet Reputation Management
  - At the Peak
    - Board of Directors Communications Systems
    - Privacy Management Tools
    - Redaction Tools
    - Vendor Risk Management
  - Sliding Into the Trough
    - Master Data Management
    - Content-Aware Data Loss Prevention
    - Enterprise Matter Management
    - Fraud Detection
    - Forensic Tools
    - E-Discovery Software
    - Enterprise Digital Rights Management
    - Email Encryption
    - Enterprise GRC Platforms
    - Enterprise Information Archiving
    - Foreign/Global Trade Compliance
  - Climbing the Slope
    - Database Encryption
    - Intellectual Property Rights and Royalties Management Software
    - Content-Aware DLP for Email
    - Risk Management and Compliance Consulting Services
  - Entering the Plateau
    - Records Management
  - Appendixes
    - Hype Cycle Phases, Benefit Ratings and Maturity Levels
- Recommended Reading

LIST OF TABLES

- Table 1. Hype Cycle Phases
- Table 2. Benefit Ratings
- Table 3. Maturity Levels

LIST OF FIGURES

- Figure 1. Hype Cycle for Legal and Regulatory Information Governance, 2011
- Figure 2. Priority Matrix for Legal and Regulatory Information Governance, 2011
- Figure 3. Hype Cycle for Legal and Regulatory Information Governance, 2010

ANALYSIS

What You Need to Know

Gartner defines "information governance" as the specification of decision rights, and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information to enable an organization to achieve its goals. Information governance should be an element in planning an enterprise's information architecture.

Legal and compliance challenges are most often the business drivers for beginning or enhancing information governance programs. Therefore, corporate compliance officers, general counsels and IT legal support managers have crucial roles in formulating policies, overseeing processes and enforcing standards around information governance. For these groups and roles, which are mostly concerned with mitigating and managing information risk, information governance will be important for meeting regulatory obligations and for building litigation management capacity.

Legal and compliance departments must work with IT and line-of-business executives to determine the scope of the information risks they face, and weigh it against the cost of the programs they will need to implement to "do" information governance properly. IT has a role in facilitating and implementing those departments' decisions. In addition, many different information technologies and methodologies can complement strategies to improve information governance.

Each group must take a series of steps to improve information governance to decrease risk and better respond to regulatory and legal requests:

- IT creates a good working inventory of electronically stored information (ESI), including active and archived databases, email, document and other content repositories, Web content, social media content, and ESI that is maintained, stored or archived by third parties.
- The compliance organization reviews the inventory and assigns retention requirements, while legal assesses the relative risks of the ESI in the inventory.
- Business users review the inventory and the legal assessment of risk, and overlay a view of the business value of the information.
- Using the input of legal teams and business users, IT creates a plan that allows them to get control of the information in place, and matches it with possible software applications that will support information governance: master data management, records management, email and file archiving, encryption, and document management.
- In parallel, if the organization faces a high number of ongoing requests for e-discovery, then legal and IT need to work together to specify requirements and purchase software.
- Legal, IT and business users create repeatable business processes for e-discovery and information governance.
- IT helps find software applications, if necessary, from the categories of management solutions including e-discovery; enterprise governance, risk and compliance (GRC) platforms; and emerging legal GRC applications that support workflow, reporting, policy management, collaboration and other requirements.

The Hype Cycle

Managing information risks is an inherent task of IT organizations. Typically, risks are considered in terms of threats to the information: for example, vandals, people seeking to gain unauthorized access to it, and denials of service from outside or inside threats. IT security technologies are employed to manage most of those risks. However, when faced with litigation and compliance risks, security technologies alone won't ensure the proper governance of the information and do not protect against all insider threats. Chief legal officers and corporate compliance officers are turning to IT legal support professionals to identify relevant technologies to manage litigation, compliance and reputation risks.

With the recent financial crises, there's been more consideration given to information risks posed by the potential for litigation, regulations, and the abuse or misuse of information by employees, customers and partners. In a business environment characterized by uncertainty, regulatory compliance has grabbed the attention of senior executives and corporate boards. Among the plethora of legislation and regulation, several are related to information governance and are of particular interest to corporate executives, including:

- The U.S. Securities and Exchange Commission's requirements for brokerages to retain email, social media and other electronic communications
- Amendments to the U.S. Federal Rules of Civil Procedure (FRCP), which specifically call out electronically stored information
- Security breach privacy laws in the U.S. and Germany that require any company to notify customers that their personal information has been compromised
- Anti-fraud, anti-bribery and anti-corruption laws in the U.S., the U.K., Germany and elsewhere

The commercial adoption of social networking technologies, such as Facebook, and the rapid adoption of alternative IT supply models, such as software as a service (SaaS) and cloud services, increase the reputation and regulatory risks arising from the misuse or negligent management of personal and corporate information. Notably, social media compliance and enterprise Internet reputation management have been added to the Hype Cycle to address these issues.

Risks increase even further when there is a failure to produce that information at the request of law enforcement agencies, regulators or requesting parties in a lawsuit. The cost of legal discovery actions can run into the millions of dollars, and the improper or unauthorized use of intellectual property can put entire business models at risk (for example, the transformation of the music recording industry that's resulted from file sharing).

The ongoing overhaul of the financial system's regulatory structure is leading to more-direct oversight, as well as a need to respond rapidly to regulators' information demands. In addition, companies that do business internationally, no matter where they are headquartered, are subject to an increasing number of cross-border regulations and/or regulations that conflict with one another in different political domains. As these litigation, regulatory and IT services trends continue, the hype around information governance in the context of risk management will grow.

Many people who are not close to legal and regulatory issues expected a regulatory Armageddon as a result of the financial crisis, which could have led to the rapid emergence of radically new technology solutions. Certainly, there has been an onslaught of new regulations, but the public policy life cycle is very predictable, and there are professionals who manage that life cycle so that it is taken into account within the normal business cycle. This current public policy life cycle of increasing transparency and accountability has been in place since at least 2002, with the passing of the Sarbanes-Oxley Act in response to corporate scandals, such as Enron. Furthermore, the 2006 FRCP changes for digital evidence and the regulatory proliferation as a result of the 2008 financial meltdown are realities for most businesses, and they are adding to the regulatory information governance burden on enterprises' business processes.

The need to manage the effect of rule proliferation on processes, and thereby limit their impact, is the reason for an emerging new cadre of risk management and compliance professionals. These new professionals are in addition to the traditional audit, legal, investigation and security professionals with whom they often work. Adopting tools that may have been used previously by audit, legal, investigation and security personnel, and extending them to a new group, often requires changes in the functionality and scalability of the tools. This market adaptation can result in shifts in the Hype Cycle: for example, the slowdown in the progression in the maturity of forensic tools, or the short lags followed by sudden bursts in the adoption of emerging technologies, such as legal GRC, early case assessment and privacy management tools. These discontinuities are evidence of a market in flux, adjusting to an expanding and shifting group of end users, who, in turn, are adjusting to new rules and business realities.

Figure 1. Hype Cycle for Legal and Regulatory Information Governance, 2011
Source: Gartner (July 2011)

The Priority Matrix

This Hype Cycle focuses on information technologies that provide for the management of information risks directly related to litigation and regulatory compliance. These technologies complement information governance policies and processes, and they focus on improving an organization's capability to manage the risks posed by:

- Difficulties in storing and finding regulated data or content
- The loss of customer information and other personally identifiable information
- The cost of discovery in a legal or regulatory context
- Intellectual property mismanagement or misuse
- Compliance with regulations and other external mandates
- Reputational and corporate social responsibility issues

The IT organization should work closely with the legal department to manage these risks and ensure that audit trails clearly link their activity to legal guidance.

Notably, many of the technologies with high and transformational benefits focus on the legal and compliance risks associated with anti-fraud, anti-bribery and anti-corruption. These include enterprise fraud management, fraud detection and enterprise Internet reputation management. While anti-fraud technology has often been associated with protecting digital revenue streams, there are new reasons for investment due to new anti-bribery rules in the U.K. and enhanced enforcement of the U.S. Foreign Corrupt Practices Act. Major bribery scandals can result not just in fines and penalties, but can also sully an enterprise's reputation.

Figure 2. Priority Matrix for Legal and Regulatory Information Governance, 2011
Source: Gartner (July 2011)

Sample Vendors: IBM; Informatica; Kalido; Oracle; Orchestra Networks; Riversand Technologies; SAP; Software AG; Teradata; Tibco Software

Recommended Reading:
- "Mastering Master Data Management"
- "Market Trends: Master Data Management, Worldwide, 2011"
- "MDM in 2011: Who's Interested in MDM and Why?"
- "Key Issues for Master Data Management, 2011"
- "'Big Data' Is Only the Beginning of Extreme Information Management"

Content-Aware Data Loss Prevention

Analysis By: Eric Ouellet

Definition: Content-aware data loss prevention (DLP) tools enable the dynamic application of policy based on the classification of content determined at the time of an operation. These tools are used to address the risk of inadvertent or accidental leaks, or exposure of sensitive enterprise information outside authorized channels, using monitoring, filtering, blocking and remediation features. DLP technologies include hardware and software solutions that are deployed at the endpoint (desktop and servers), at the network boundary and within the enterprise for data discovery purposes. These technologies perform deep-content inspection using sophisticated detection techniques that extend beyond simple keyword matching (for example, advanced regular expressions, partial document matching, Bayesian analysis and machine learning). DLP products also maintain detailed logs that can be used to support investigations.

Mobile devices have arrived and taken hold in the enterprise, resulting in many organizations struggling to establish appropriate terms of use, especially as they relate to the interaction with sensitive data. None of the DLP vendors represented in this Hype Cycle entry offered integrated DLP solutions on the mobile device itself due, in part, to the variability of platform versions (Android) and closed system architecture (iOS). Many are providing pseudosupport by leveraging forced VPN connections to the corporate network and doing DLP inspection of content data as it exits the internal enclave via DLP network appliances.

Organizations are also beginning to leverage the cloud as a meaningful component of their data centers. DLP vendors are planning offerings to support these initiatives during the next 12 months.

Position and Adoption Speed Justification: While DLP use is rising, it is not yet considered an expected practice, even after a failed regulatory audit or loss of personally identifiable information (PII). It is unlikely that an organization would be considered negligent for not having implemented DLP. However, Gartner predicts that DLP will become part of the standard of due care in the U.S. by year-end 2013, and by 2015 in the EU and in Asia/Pacific. By year-end 2011, content-aware DLP will be a common feature in endpoint protection suites, leading to downward price pressure on content-aware endpoints.

This market continues to experience rapid and steady growth, with an estimated total gross revenue of $50 million in 2006, $120 million in 2007, $215 million in 2008, $300 million in 2009 and $400 million in 2010. Content-aware DLP deployments and overall sales have been only minimally affected by the current economic downturn. A key factor in the ongoing maturation of both the market for content-aware DLP technology offerings and the offerings themselves is the acquisition of small, venture-capital-backed startups by large security suite vendors. These large vendors are able to support complex development life cycles and have extensive sales, partner and reseller networks that can deliver content-aware DLP offerings to more-varied client deployment environments.

More vendors of non-DLP products, for example email, intrusion detection, and identity and access management (IAM) technologies, added or enhanced single-channel content awareness to their products during the past two years. The embedding of content awareness in more products will enable the broad, effective application of protection and governance policies across the entire enterprise IT ecosystem, and throughout all the phases of the data life cycle, becoming what Gartner refers to as "content-aware enterprises." Enterprise DLP vendors will support APIs that can manage common detection policies and response workflows by 2012.

User Advice: Content-aware DLP technology is commonly perceived as being an effective way of preventing the theft of intellectual property and for prevention of accidental disclosure of regulated information. In practice, it has proved much more useful in helping identify and correct faulty business processes and accidental disclosures. Inadvertent data leakage actually represents the lion's share of the problem, so these automated controls are proving useful. However, motivated insiders will always find ways to steal data, and no technology will fully control this.

As the technology matures, network-only mechanisms will evolve to a more comprehensive model that also addresses host protection. However, only the network components are mature enough for enterprise use today. Organizations should anticipate coverage beyond initial requirements, and should develop a phased, comprehensive strategy. Based on analysis of the Gartner client base, 40% of organizations start with the network (data in motion), 20% start with discovery (data at rest) and about 40% start with a content-aware endpoint. Through 2Q11, deployment trends show that organizations start deployments with either network or endpoint capabilities, then follow up with discovery.

As the market continues to develop more content-aware mechanisms, the definition of DLP gets more complicated, vendor marketing messages become more convoluted and finding the right product gets that much harder. Products claiming to be in the DLP market have widely diverging definitions. Beware of vendor claims that present "the real" definition of DLP and the constant reassurance that, whatever you are looking for, it is what they have. It is critical at this stage of market development that organizations approach vendors with a set of independently developed, enterprise-specific requirements.

Lastly, content-aware DLP is not a transparent security control like antivirus protection, firewalls and other security technologies. This means that end users will be impacted when it is deployed in any mode other than monitoring only. End users need to be trained on the proper way to interact with DLP systems and also educated on the proper handling of sensitive data.

Business Impact: This technology is not foolproof, and it is relatively easy for a smart attacker to circumvent, but it effectively addresses the 80% of leakage that is due to accidents and ignorance. Organizations with realistic expectations are finding that this technology does, indeed, meet their expectations and significantly reduce nondeliberate outflows of sensitive data.

Benefit Rating: Moderate

Market Penetration: 5% to 20% of target audience

Maturity: Early mainstream

Sample Vendors: CA Technologies; Code Green Networks; Fidelis Security Systems; GTB Technologies; McAfee; Palisade Systems; RSA; Symantec; Trend Micro; Trustwave; Websense

Recommended Reading:
- "Content-Aware DLP in Asia/Pacific"

sufficiently trained internal capability can perform the majority of forensic and e-discovery tasks at a lower cost, and can do it more quickly. Benefit Rating: Moderate Market Penetration: 5% to 20% of target audience Maturity: Mature mainstream Sample Vendors: AccessData Group; Guidance Software; Paraben; Technology Pathways Recommended Reading: "E-Discovery Software Market Shift Requires Magic Quadrant Analysis" "Magic Quadrant for E-Discovery Software" "Emerging Vendors in Malware Control, 2010" "Remote Forensic Software" "Network Forensics Market" "What Every IT Manager Should Know About Digital Forensics" E-Discovery Software Analysis By: Debra Logan Definition: Electronic discovery (e-discovery) software facilitates the identification, collection, preservation, processing, review, analysis and production of large amounts of electronically stored information (ESI) within an enterprise, to meet the mandates imposed by common-law requirements for discovery. These demands may be due to civil or criminal litigation, regulatory oversight or administrative proceedings. An independent group of consultants, legal scholars and vendors has created and put into the public domain an "E-Discovery Reference Model" ([EDRM] www.edrm.net) that maps traditional common-law discovery into a six-step, nine-process framework for technology. There are hundreds of vendors with products that fit within the EDRM framework; products that do everything from policy management and search and analysis to production and presentation. When Gartner focuses on the e-discovery software market, it is concentrating on the technology providers that work at the nexus where IT and legal staff meet: the preservation and collection of relevant ESI from the technologist's point of view; and the search, review and analysis of its content for the legal professional. 
Position and Adoption Speed Justification: E-discovery is being hyped by vendors, while enterprise adoption remains slow and steady picking up in late 2010 and early 2011. Adoption remains at 20% to 50% of enterprises, with most of them adopting only point products to cover a piece of the EDRM, rather than a "platform" solution to cover every aspect of e-discovery. There are companies that do have multiple products, and handle every aspect of e-discovery in-house with products from multiple vendors. The most common steps of the EDRM performed in-house are information management, identification, preservation, collection, processing and early case assessment. Interest in using information governance techniques and tools to control the amount of data that is kept by the enterprise is also growing. This year, the EDRM group changed the name of the first step of its process model from "information management" to "information governance." In the past year, U.S. courts have become clearer about expectations around discovery. Judges are emphasizing the need for cooperation between parties when it comes to discovery activities. Cooperation between litigants depends on knowing what data an enterprise is holding, where it is, what format it is in and how easily it can be accessed. E-discovery (therefore) involves IT, and internal cooperation between legal and IT is essential to cooperation Publication Date: 26 July 2011/ID Number: G00214656 Page 34 of 60

outside the walls of the corporation. Best practices are emerging, especially around the identification and preservation of ESI in enterprises which is the area of biggest risk for legal counsel and, therefore, companies. The market remains crowded with new vendors declaring themselves to be "in the market" on a regular basis. There are no integrated end-to-end solutions, and there may never be, because the market demand for this is uncertain. Many content archiving vendors have included e-discovery features in recent releases. Offsetting the software spend against the expenses incurred by outsourcing this work, many see straightforward cost savings in in-house capabilities. The market is also consolidating: many acquisitions have already taken place and there are many more to come. User Advice: The move to acquire e-discovery software is driven by efforts to reduce risk and drive cost efficiencies and savings. Savings come from paying less to outside e-discovery service providers and, ultimately, law firms. Information management software such as enterprise content archiving which frequently has e-discovery functionality can save money in storage and labor costs for IT. Legal and IT should always work together to specify a process that they will use when discovery becomes necessary. Suspending the routine deletion of data, putting data on litigation hold in a targeted way and seeking tools to make the process defensible and auditable, are the main points that need to be specified in the working process between legal and IT. Evaluate products that can aid in the identification, preservation and collection of potential evidence. Another important area of functionality is the ability of these tools to create, communicate, enforce and document compliance with litigation hold orders. 
Other areas of increasing interest are early case assessment and early stage processing, to avoid sending large amounts of redundant data to either outside processing providers or, worse (in terms of expense), to outside legal counsel. Because the market is volatile, organizations using or acquiring e-discovery tools should take that volatility into account when assessing potential offerings and calculating ROI.

Business Impact: Major enterprises undergo dozens, or even hundreds, of investigations per year, which can result in high costs to specialized litigation support companies and outside law firms. Software that supports the ability to conduct and manage discovery activities in-house not only saves money, but also enables enterprises to have higher levels of control over investigations. As awareness and knowledge of the issues spreads in the legal community, corporate lawyers are in need of advice from IT specialists. The most important considerations are specifying a defensible, repeatable business process (like any other business process) and making sure that the parties involved are well trained in what they must do, understand the legal ramifications of the task, and are equipped with the right tools for carrying it out. The market is maturing, with point products that handle part of the process being the norm. In 2010 and 2011 we have seen increasing consolidation, with vendors who specialize in enterprise information management acquiring more specialist companies in e-discovery, and specialist e-discovery firms merging or making acquisitions of other specialists. Gartner tracks the e-discovery market in a Magic Quadrant which, in 2011, contains evaluations of 24 vendors ("Magic Quadrant for E-Discovery Software"). The tools for e-discovery have emerged from several adjacent and related areas, such as forensic investigations, records and document management, email archiving, content analytics, and search and information access.
There is also a large, stand-alone review and analytics market focused on providing review and analysis tools for legal personnel. The software-as-a-service model is particularly attractive here. The enterprise market continues to consolidate around a set of tools to handle information management or information governance functions, identification, collection, preservation and processing. Aspects of the problem remain difficult, particularly those relating to information access and finding relevant data in the mass of content that most enterprises have. An emerging trend in the document review space is "predictive coding"; that is, taking sample documents that have been analyzed by human reviewers and using these to identify similar documents in a corpus that would have the same "code." In legal terms, these codes refer to whether or not a document relates to the case at all (relevant or not), or whether it is something that is "privileged" and should only be seen by the party and their attorneys. Using predictive coding can cut down on the amount of human review that is necessary in any given case and, therefore, cut down on the costs, because attorney review is the most expensive part of the legal process. More automation is being applied to all aspects of the litigation process, which most believe to be necessary given the volume of information generated by modern businesses.
Benefit Rating: High

Market Penetration: 20% to 50% of target audience

Maturity: Early mainstream

Sample Vendors: AccessData Group; Autonomy; CaseCentral; Catalyst Repository Systems; Clearwell; CommVault; Daegis; EMC; Epiq Systems; Exterro; FTI Technology; Gallivan Gallivan & O'Melia; Guidance Software; IBM; IE Discovery; Integreon; Ipro Tech; kcura; Kroll Ontrack; LexisNexis; Merrill Corporation; Nuix; Orange Legal Technologies; Recommind; StoredIQ; Symantec; Xerox Litigation Services; ZL Technologies; ZyLAB

Recommended Reading:
"Magic Quadrant for E-Discovery Software"
"E-Discovery Market, 2011: Drivers, Inhibitors and Influencers"

Enterprise Digital Rights Management

Analysis By: Eric Ouellet; Ray Wagner

Definition: "Digital rights management" (DRM) is the term used for applying access and usage controls on media assets (MP3 audio files, videos and so on). Enterprise digital rights management (EDRM) is a set of distinct technologies that is used to apply mandatory access and usage controls on enterprise applications, such as messaging (email), documents (word processing, spreadsheets and PDFs) and intellectual property (computer-aided design/computer-aided manufacturing files, design files and plans) by combining cryptography with identity services and access control policies to restrict distribution and how data can be used (cut, pasted, printed, viewed, edited and forwarded). Some solution providers also call their EDRM offering enterprise rights management (ERM) or information rights management (IRM). Typical access control policies applied to data might include "company confidential" to limit outside distribution, "individual access only" for personal health information or "legal department employees only." Policies are applied directly to the protected data as part of the data file and enforced by the EDRM client software working with the parent/workflow application.
Position and Adoption Speed Justification: EDRM solutions have been available in one form or another for more than a decade. Although the technology is elegant and the value of EDRM is sound, there has been little progress in the EDRM market in the past five years. Although we are seeing a steady increase in EDRM interest, we are not seeing a matching increase in actual deployments because of lack of industry standardization and overall solution complexity. Early adopters, which are sensitive to intellectual property loss and data privacy especially among

is to enable a common set of compliance controls testing and risk assessments to support multiple reporting requirements. Although it is not possible to get to that perfect ideal, many organizations have reduced their compliance costs by 30% or more through reduction in complexity and redundancy. For enterprise risk management initiatives, improved business performance is a stretch goal for many organizations.

Benefit Rating: Moderate

Market Penetration: 20% to 50% of target audience

Maturity: Early mainstream

Sample Vendors: Achiever (Sword Group); AlignAlytics; Archer (EMC-RSA); BWise; Compliance 360; Cura Technologies; DoubleCheck; Enablon; List Group; LogicManager; Mega; Methodware; MetricStream; Mitratech; Modulo; OpenPages (IBM); Oracle; Protiviti; SAP; SAS; Software AG; Strategic Thought; Thomson Reuters; Xactium

Recommended Reading:
"A Comparison Model for the GRC Marketplace, 2011 to 2013"
"Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms"
"Critical Capabilities of Enterprise GRC Platform Vendors"

Enterprise Information Archiving

Analysis By: Sheila Childs

Definition: Leading enterprise information archiving solutions provide tools for capturing all or selected data in a distributed or centralized repository for efficient storage and access. Enterprise information archiving supports multiple data types (including email, file system and other content, such as Microsoft SharePoint) and is replacing application-specific archiving solutions. These tools prune data from active data stores based on policy, and provide access to the archived data via a stub or pointer, or via browser-based access to the archive. Retention management features also provide for policy-based deletion as data ages. Archiving is designed to keep the active data stores as small as possible, improve application performance and reduce recovery times.
Email remains the predominant content type archived as part of an enterprise information archiving implementation; in this case, the need for users to maintain personal stores is eliminated, and established stores can be migrated to the archive. Features such as litigation hold, content retention management, search and data export are used to meet discovery and compliance requirements. Archiving has become an important part of e-discovery, providing functionality identified as part of the information management category of the Electronic Discovery Reference Model (EDRM). Enterprise information archiving products also provide a way to export data for use with special-purpose or more feature-rich e-discovery tools. Tools for sampling and reviewing messages (email, instant messages and, in some cases, social media content) are available with many enterprise information archiving products, in response to requirements specific to the regulated portion of the financial industry. To meet the requirements of mobile workers, it is becoming important to provide users with the option to have a copy of their archived data on their local disks, and to provide access to archived data via mobile devices.

Position and Adoption Speed Justification: The number of vendors offering enterprise information archiving solutions continues to increase, with most offering functionality and deployment models appropriate for the markets they target. Market growth remains healthy, particularly as the utilization of archiving as a contributing technology for compliance and e-discovery gains favor with organizations implementing information governance programs. The market has seen a number of changes in the past year. In particular, email archiving software as a service (SaaS) offerings have gained significant traction as alternatives to on-premises deployments (and are now growing at a faster pace). Support for capture and supervision of social media (Twitter, Facebook and LinkedIn, for example) has become a requirement in the regulated financial services industry (and is of interest to other industries), and file system archiving as a component of EIA is evolving with an even stronger focus on storage management as unstructured data grows in volume. Some companies are looking to replace their current archiving products with others (in particular as cloud solutions gain traction), and a few consulting companies are offering migration services. Companies with large volumes of data and long retention periods can overtax the system so that it may no longer be scalable or reliable, requiring improved index methods and, in some cases, major architectural changes. The appetite for email-only archiving solutions remains, but most organizations are looking to vendors with existing solutions or a road map for enterprise information archiving products.

User Advice: As requirements to store, search and discover old data grow, and in the face of increased demand for large mailbox support as users struggle to keep up with increased numbers of messages and larger messages in their email systems, companies should implement an enterprise information archiving solution now, starting with email as the first content type to be managed. Consolidating archived data into regional repositories, a centralized repository or the cloud can support a quick response to discovery requests, and will facilitate a quick implementation of the organizational retention policies, provided that the necessary specification of those policies has taken place. Migrating personal stores to the archive should be part of the deployment of an email archive system.
Business Impact: Enterprise information archiving improves application performance, delivers improved service to users and enables a timely response to legal discovery and business requests for historical information. Archived data can be stored on less-expensive storage, with the opportunity to take some data offline or delete it. Moving old data to an archive also reduces backup and recovery times.

Benefit Rating: High

Market Penetration: 20% to 50% of target audience

Maturity: Early mainstream

Sample Vendors: Atempo; Autonomy; Bloomberg; C2C; CommVault; Computer Generated Solutions; EMC; HP; IBM; Iron Mountain; Kroll Ontrack; LiveOffice; MessageSolution; Metalogix Software; Microsoft; Mimecast; Mirapoint; OpenText; Sherpa Software; Symantec; Unify; Waterford Technologies; ZL Technologies

Recommended Reading:
"Enterprise Information Archiving Transforms the Strategy and Approach for Archiving"
"Case Study: Standard Bank Dramatically Improves Storage Utilization and Compliance Through Enterprise Information Archiving"
"Vendors Expand Enterprise Information Archiving With Support for Files: How to Select the Right Solution"
"Magic Quadrant for Enterprise Information Archiving"